Abstract

This paper investigates a quantum version of the McEliece public-key encryption (PKE) scheme and analyzes its security. As is well known, the security of classical McEliece PKE is not stronger than the onewayness of the related classical one-way function. We prove that the security of quantum McEliece PKE ranks between them. Moreover, we propose the double-encryption technique to improve its security, and the security of the improved scheme is proved to be between that of the original scheme and that of the quantum one-time pad.

1. Introduction

Public-key encryption (PKE) is one of the most important research directions in modern cryptography, and has been widely used in information communication. However, the widely used PKE schemes, such as RSA, have been threatened by quantum attack. It therefore becomes important to construct PKE schemes that resist quantum attack.

Okamoto et al. [1] constructed the first quantum PKE scheme based on the subset-sum problem, whose public-key is computed from the private-key with Shor's algorithm for finding discrete logarithms, though the private-key, public-key, plaintext and ciphertext are all classical. In [2], a quantum PKE is constructed based on a hard problem $\mathrm{QSCD}_{\mathrm{ff}}$, which has been proved to be one with bounded information-theoretic security [3]. By using single-qubit rotations, Nikolopoulos [4] proposed a quantum PKE with classical private-key and quantum public-key. Based on quantum encryption, Gao et al. [5] presented a quantum PKE with symmetric keys, with two qubits from a Bell state serving as the public-key and the private-key, respectively. Pan and Yang [6] constructed a quantum PKE scheme with information-theoretic security. All the quantum PKEs above are classical-bit oriented. However, quantum messages also need to be encrypted in some cases. Though quantum key distribution (QKD) plus quantum one-time pad (QOTP) can accomplish the task of encrypting quantum messages, it needs some preshared keys in the implementation of QKD. This paper explores the asymmetric scheme for this task, and proposes a quantum-message-oriented PKE.

The McEliece public-key encryption scheme [7] is based on coding theory and its security relies on the difficulty of solving an NP-complete (NPC) problem. Though the scheme is a classical PKE scheme, it is believed that it can resist quantum attack. Based on its construction, researchers began to construct PKE schemes in the quantum world, for the purpose of encrypting quantum messages. Yang [8] proposed the first quantum analogue of McEliece PKE, in which the public-key and private-key are classical but which can encrypt quantum messages. Later in 2010, we extended it and presented the definition of induced trapdoor one-way transformation (OWT), and then constructed a framework of quantum PKE based on the induced trapdoor OWT. The quantum McEliece PKE proposed in [8] can be seen as a special case of the quantum PKE framework. In 2012, Fujita [9] also proposed a quantum analogue of McEliece PKE based on quantum coding theory, and its security also relies on the difficulty of solving an NPC problem. This scheme also uses classical keys and can encrypt quantum messages.

This paper studies the security of the quantum McEliece PKE scheme 
which is proposed in Ref. [8, 10], and then focuses on the improvement to it. 

2. Quantum public-key encryption 

Firstly, we define quantum public-key encryption (QPKE) as follows. Without loss of generality, the definition is presented for the encryption of quantum messages (classical messages can be seen as a special case).

Definition 1: A quantum public-key encryption scheme is described by a triplet $(\mathcal{G}, \mathcal{E}, \mathcal{D})$, where

1. $\mathcal{G}$ is the polynomial time quantum key-generation algorithm. On input $1^n$, $\mathcal{G}$ outputs $(e, d)$ in polynomial time, where $e$ is a public key, $d$ is a secret-key, and $n$ is a security parameter.

2. $\mathcal{E}, \mathcal{D}$ are the polynomial time quantum encryption/decryption algorithms. They satisfy this condition: for every $n$-qubit message $\sigma$, every polynomial $\mathrm{poly}(n)$, and all sufficiently large $n$,

$$F(\mathcal{D}(\mathcal{E}(\sigma, e), d), \sigma) > 1 - 1/\mathrm{poly}(n),$$

where $F(\sigma_1, \sigma_2)$ denotes the fidelity of two states $\sigma_1, \sigma_2$.

Next, we present the security definition of QPKE. 

Definition 2: A quantum public-key encryption scheme is computationally (information-theoretically) secure, if for every polynomial-size (unlimited-size) quantum circuit family $C_n$, every positive polynomial $p(\cdot)$, all sufficiently large $n$, and any two quantum messages $\sigma, \sigma' \in \mathcal{H}_m$, it holds that

$$\left|\Pr[C_n(\mathcal{G}(1^n), \mathcal{E}_{\mathcal{G}(1^n)}(\sigma)) = 1] - \Pr[C_n(\mathcal{G}(1^n), \mathcal{E}_{\mathcal{G}(1^n)}(\sigma')) = 1]\right| < \frac{1}{p(n)},$$

where $\mathcal{E}$ is a polynomial time quantum encryption algorithm and $\mathcal{G}$ is a polynomial time quantum algorithm for generating public-keys.

3. Quantum McEliece public-key encryption scheme 

3.1. Some notations 

Suppose $\rho = \sum_{m\in\{0,1\}^k}\sum_{m'\in\{0,1\}^k} \alpha_{mm'}|m\rangle\langle m'|$ and $G$ is a $k \times n$ matrix, then we denote

$$\rho \circ G = \sum_{m}\sum_{m'} \alpha_{mm'}|mG\rangle\langle m'G|,$$

where $mG$ is the multiplication of the vector $m$ and matrix $G$ modulo 2. Suppose $x$ is an arbitrary vector in $\{0,1\}^k$, then we denote

$$\rho + x = \sum_{m\in\{0,1\}^k}\sum_{m'\in\{0,1\}^k} \alpha_{mm'}|m + x\rangle\langle m' + x|,$$

where $m + x$ is the bitwise addition of $m$ and $x$ modulo 2.

Suppose a matrix $M$ is an $n \times n$ invertible matrix, then denote $M^{-1}$ as the inverse matrix of $M$.

Suppose a matrix $M$ is a $k \times n$ ($k < n$) matrix and it is full row rank, then it has a Moore-Penrose inverse. Denote $M^{-}$ as one of the Moore-Penrose inverses of $M$ satisfying $MM^{-} = I$ ($I$ is the identity matrix).

3.2. Scheme [8]

The quantum McEliece public-key encryption scheme was first proposed in Ref. [8]. This scheme is briefly introduced before our analysis and improvement.

The quantum key-generation algorithm is the same as in the classical McEliece PKE protocol [7]: Suppose $G$ is a $k \times n$ generator matrix of an $[n, k, d]$ Goppa code, and $G' = SGP$, where $S$ is a $k \times k$ invertible matrix and $P$ is an $n \times n$ permutation matrix. We choose $(G', t)$, $t \le \lfloor \frac{d-1}{2} \rfloor$, as the public-key and $(S, G, P)$ as the private-key. Let $H$ be the check matrix of the Goppa code satisfying $GH^T = 0$.

Alice selects a random number $r$ of weight $\le t$, and uses Bob's public-key $G'$ with $r$ to encrypt a $k$-qubit state $\rho$. This encryption can be shown in density-operator form as follows.

$$\rho \to \rho \circ G' \to \rho \circ G' + r.$$

Denote $\rho \circ G' + r = \rho_c$; then $\rho_c$ is the quantum ciphertext. The above transformation is feasible. The reason will be shown later.

Bob uses his private-key $s = (S, G, P)$ to decrypt the state $\rho_c$ coming from Alice: Firstly he computes the state $\rho_c \circ P^{-1}$ ($= \rho \circ SG + rP^{-1}$) and extracts the value of $rP^{-1}$; then he computes $\rho_c \circ P^{-1} + rP^{-1}$ ($= \rho \circ SG$), and can further obtain the state

$$((\rho_c \circ P^{-1} + rP^{-1}) \circ G^{-}) \circ S^{-1},$$

which is equal to $((\rho \circ SG) \circ G^{-}) \circ S^{-1} = (\rho \circ S) \circ S^{-1} = \rho$. Note that $G^{-}$ is a Moore-Penrose inverse of $G$. So $G^{-}$ is an $n \times k$ ($n > k$) binary matrix. According to Proposition 5 in the appendix, the transformation $\sigma \circ G^{-}$ is infeasible physically for an arbitrary $n$-qubit state $\sigma$. However, $\rho \circ SG$ is a special subclass of all $n$-qubit states, which is related to $G$. So the computation $(\rho \circ SG) \circ G^{-}$ is feasible physically. This will be shown in the following concrete scheme, see Eq.(4).

Next, we show the encryption/decryption algorithms in the Dirac form, which is a more understandable way.

Denote the $k$-qubit state $\rho$ as Then, this encryption can be described in the following three steps

$$|r\rangle\sum_m \alpha_m|m\rangle|0\rangle \to |r\rangle\sum_m \alpha_m|m\rangle|mG'\rangle \to |r\rangle\sum_m \alpha_m|m \oplus mG'{G'}^{-}\rangle|mG'\rangle \to |r\rangle|0\rangle\sum_m \alpha_m|mG' \oplus r\rangle, \qquad (1)$$


where the matrix ${G'}^{-}$ is a generalized inverse matrix of $G'$. Because $G'$ is a full row rank matrix, there exists ${G'}^{-}$ that satisfies $G'{G'}^{-} = I_k$. This is the condition under which one can get $\sum_m \alpha_m|mG'\rangle$ from $\sum_m \alpha_m|m\rangle$. Alice sends the cipher state $\sum_m \alpha_m|mG' \oplus r\rangle$ to Bob.

Bob uses his private-key $s = (S, G, P)$ to decrypt the state coming from Alice,

$$\begin{aligned}
|s\rangle\sum_m \alpha_m|mG' \oplus r\rangle|0\rangle|0\rangle &\to |s\rangle\sum_m \alpha_m|mG' \oplus r\rangle|(mG' \oplus r)P^{-1}\rangle|0\rangle \\
&\to |s\rangle\sum_m \alpha_m|0\rangle|(mG' \oplus r)P^{-1}\rangle|0\rangle = |s\rangle|0\rangle\sum_m \alpha_m|mSG \oplus rP^{-1}\rangle|0\rangle \\
&\to |s\rangle|0\rangle\sum_m \alpha_m|mSG \oplus rP^{-1}\rangle|(mSG \oplus rP^{-1})H^T\rangle \\
&= |s\rangle|0\rangle\sum_m \alpha_m|mSG \oplus rP^{-1}\rangle|rP^{-1}H^T\rangle, \qquad (2)
\end{aligned}$$

then measures the second register to get $rP^{-1}H^T$, and finds $rP^{-1}$ via the fast decoding algorithm of the Goppa code generated by $G$. Bob carries out the following transformation on the quantum state $\sum_m \alpha_m|mSG \oplus rP^{-1}\rangle$ according to the value of $rP^{-1}$,

$$|rP^{-1}\rangle\sum_m \alpha_m|mSG \oplus rP^{-1}\rangle \to |rP^{-1}\rangle\sum_m \alpha_m|mSG\rangle. \qquad (3)$$


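Then he computes

$$\begin{aligned}
|s\rangle\sum_m \alpha_m|mSG\rangle|0\rangle|0\rangle &\to |s\rangle\sum_m \alpha_m|mSG\rangle|mSGG^{-}\rangle|0\rangle = |s\rangle\sum_m \alpha_m|mSG\rangle|mS\rangle|0\rangle \\
&\to |s\rangle\sum_m \alpha_m|0\rangle|mS\rangle|0\rangle \\
&\to |s\rangle|0\rangle\sum_m \alpha_m|mS\rangle|mSS^{-1}\rangle = |s\rangle|0\rangle\sum_m \alpha_m|mS\rangle|m\rangle \\
&\to |s\rangle|0\rangle|0\rangle\sum_m \alpha_m|m\rangle. \qquad (4)
\end{aligned}$$

Finally, the quantum message $\sum_m \alpha_m|m\rangle$ is obtained.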
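The stages of Eqs. (1)-(4) can be traced on a small instance. The following Python code is an added example, not code from the paper: it assumes the [7,4] Hamming code (t = 1) in place of the Goppa code, uses constructed values for S, P, r and the sample state, and stores a superposition as a map from basis strings to amplitudes.

```python
# Added illustration, not code from the paper. Assumptions: the [7,4] Hamming code
# (t = 1) stands in for the Goppa code; S, P and the sample state are constructed.
# A superposition is stored as {basis bit-tuple: amplitude}.

def vecmat(v, M):
    """Row vector times matrix over GF(2)."""
    return tuple(sum(v[i] & M[i][j] for i in range(len(v))) % 2 for j in range(len(M[0])))

def matmul(A, B):
    return [list(vecmat(row, B)) for row in A]

def xor(a, b):
    return tuple(x ^ y for x, y in zip(a, b))

def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]

A = [[1, 1, 0], [1, 0, 1], [0, 1, 1], [1, 1, 1]]
G = [identity(4)[i] + A[i] for i in range(4)]          # generator G = [I_4 | A]
HT = A + identity(3)                                   # H^T = [A ; I_3], so G H^T = 0
G_MINUS = identity(4) + [[0] * 4 for _ in range(3)]    # 7x4 right inverse: G G^- = I_4
S = [[1, 1, 0, 0], [0, 1, 1, 0], [0, 0, 1, 1], [0, 0, 0, 1]]
S_INV = [[1, 1, 1, 1], [0, 1, 1, 1], [0, 0, 1, 1], [0, 0, 0, 1]]
PERM = [2, 0, 6, 3, 5, 1, 4]
P = [[int(PERM[i] == j) for j in range(7)] for i in range(7)]
P_INV = [list(col) for col in zip(*P)]                 # permutation matrix: P^-1 = P^T
G_PUB = matmul(matmul(S, G), P)                        # public key G' = SGP
assert matmul(S, S_INV) == identity(4) and matmul(G, G_MINUS) == identity(4)

# Constructed sample message: 0.6|1011> + 0.8i|0110>
SAMPLE_STATE = {(1, 0, 1, 1): 0.6, (0, 1, 1, 0): 0.8j}

def encrypt(state, r):
    """Eq. (1): every branch |m> becomes |mG' + r>; the amplitudes are untouched."""
    return {xor(vecmat(m, G_PUB), r): a for m, a in state.items()}

def decrypt(cipher):
    """Eqs. (2)-(4) with the private key (S, G, P); returns (state, measured syndrome)."""
    undone = {vecmat(c, P_INV): a for c, a in cipher.items()}      # |mSG + rP^-1>
    # mSG H^T = 0, so every branch carries the same syndrome rP^-1 H^T and
    # measuring that register does not disturb the amplitudes.
    syndromes = {vecmat(y, HT) for y in undone}
    assert len(syndromes) == 1
    s = syndromes.pop()
    # Hamming decoding: the syndrome equals the row of H^T at the error position.
    e = tuple(int(tuple(HT[i]) == s) for i in range(7))            # rP^-1 (zero if s = 0)
    # Eq. (3) removes the error, Eq. (4) applies G^- and then S^-1.
    return {vecmat(vecmat(xor(y, e), G_MINUS), S_INV): a for y, a in undone.items()}, s

if __name__ == "__main__":
    r = (0, 0, 0, 0, 1, 0, 0)                                      # weight-1 error, t = 1
    cipher = encrypt(SAMPLE_STATE, r)
    plain, syndrome = decrypt(cipher)
    print("cipher branches:", cipher)
    print("syndrome       :", syndrome)
    print("recovered      :", plain)
```

Because every operation is a reversible map on basis strings, the amplitudes pass through unchanged; the only measured quantity, the syndrome, is the same in every branch.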
3.3. Analysis

Induced trapdoor one-way transformation (OWT) has been defined in Ref. [10]. The above protocol satisfies the framework of QPKE based on induced trapdoor OWT. Let $g(m,r) = 0$ and $f(m,r) = mG' \oplus r$ in the induced trapdoor OWT. Here $g(m,r)$ is a constant function, so the encryption transformation can be simplified as

$$U_{fg}(r) = \sum_m |0\rangle\langle m| \otimes |mG' \oplus r\rangle\langle 0|.$$

The decryption transformation is

$$D_{fg}(s) = \sum_{r,m} |r(f,s)\rangle\langle 0| \otimes |m\rangle\langle 0| \otimes |0\rangle\langle f(m,r)|,$$

where $r(f,s)$ denotes a function that is relative to $f, s$.

• Firstly, we analyze its security while encrypting classical messages.

The quantum McEliece PKE scheme can be used to encrypt classical messages. In this case, the quantum McEliece PKE would degenerate to the corresponding classical PKE. The classical McEliece PKE has been studied for more than thirty years in modern cryptography, and is believed to be secure. Thus, our scheme is secure while encrypting classical messages.

Ref. [9] believes our scheme is insecure when encrypting classical messages. Though the McEliece PKE has not been reduced to an NP-complete problem, here we discuss the difficulty from a new view when attacking the ciphertext $mG' \oplus r$. Attacking the cipher $mG' \oplus r$ is equivalent to attacking $m \oplus r{G'}^{-}$. Now, we show the difficulty of decoding $m \oplus r{G'}^{-}$.

As in the McEliece PKE scheme, we know $G' = SGP$, where $S, P$ are both invertible matrices and $G$ is the generator matrix of a Goppa code and is full row rank, so $G'$ is also full row rank, and then it has a Moore-Penrose inverse. Suppose ${G'_1}^{-}$ is one of the Moore-Penrose inverses of $G'$ satisfying $G'{G'_1}^{-} = I$. In fact, ${G'_1}^{-}$ can be obtained by solving the linear equations $G'X = I$. Then all the Moore-Penrose inverses of $G'$ can be written in the form

$${G'}^{-} = {G'_1}^{-} \oplus U \oplus {G'_1}^{-}G'U,$$

where $U$ is any $n \times k$ binary matrix. It can be verified that $G'{G'}^{-} = I$. In the classical McEliece PKE scheme, the cipher $c$ and plaintext $m$ satisfy the relation $c = mG' \oplus r$, where $r$ is a binary row vector of weight $t$. Suppose Eve finds another Moore-Penrose inverse of $G'$, denoted as ${G'_2}^{-}$, then he can compute $c{G'_2}^{-} = m \oplus r{G'_2}^{-}$. Denote ${G'_2}^{-} = (e_1 \cdots e_k)$, where each $e_i$ is a binary column vector. Then $c{G'_2}^{-}$ can be represented as $(m_1 \oplus r \cdot e_1, \cdots, m_k \oplus r \cdot e_k)$. If each column $e_i$ of ${G'_2}^{-}$ has more zeros (meaning the Hamming weight of $e_i$ is small enough), $r \cdot e_i$ would equal 0 with large probability, and then its $i$-th bit $m_i \oplus r \cdot e_i$ would reveal the $i$-th bit of the original plaintext with large probability. Notice that $e_i = g_i \oplus (I \oplus {G'_1}^{-}G')u_i$, where $g_i$ and $u_i$ are the $i$-th columns of ${G'_1}^{-}$ and $U$ respectively. Here $g_i$ and $I \oplus {G'_1}^{-}G'$ are known, but $u_i$ is unknown. Now Eve has to face a problem: finding $u_i$ such that $g_i \oplus (I \oplus {G'_1}^{-}G')u_i$ has weight smaller than a given value. This is just an LPN problem, which is an NP-complete problem.

Remark 1: This problem can be seen from another view. $I \oplus {G'_1}^{-}G'$ is an $n \times n$ matrix, and $g_i, u_i$ are two $n \times 1$ vectors, but $u_i$ is unknown. So the above problem can be restated as follows: how to select some columns of $I \oplus {G'_1}^{-}G'$ such that their summation is closest to the vector $g_i$? This is just a closest vector problem (CVP), which is an NP-hard problem.

We have tried a numerical experiment following the above attack, and it seems that this kind of attack is invalid. This attack is reduced to an optimization problem (CVP): finding $u_i$ such that $g_i \oplus (I \oplus {G'_1}^{-}G')u_i$ (notice that it equals $e_i$) has weight smaller than a given value. Suppose the parameters are $n = 1024$, $k = 524$, $t = 50$ in the McEliece PKC scheme. Firstly, because $u_i$ has $2^{1024}$ choices, both exhaustive search and random search are not realistic. While choosing some small parameters such as $n = 60$, $k = 30$, the exhaustive search can reduce the weight of $e_i$ to 1 with probability 2%, and the random search may be slightly better. With the greedy search, we obtain $e_i$ of weight 225 on average. In this case, $\Pr[r \cdot e_i = 0] \approx 0.5 + 0.1 \times 10^{-13}$, where $r$ is an $n$-bit random vector of weight $t = 50$. Thus, the attack presented here is invalid.
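The generalized-inverse attack discussed above can be checked numerically. The following Python code is an added example, not the authors' experiment: it assumes a random full-row-rank binary matrix in place of $G' = SGP$ (only the rank matters for this attack), builds a second inverse from the parametrisation ${G'_1}^{-} \oplus U \oplus {G'_1}^{-}G'U$, and computes $\Pr[r \cdot e_i = 0]$ exactly for a column of given weight.

```python
# Added illustration, not code from the paper. Assumptions: a random full-row-rank
# binary matrix stands in for G' = SGP (only the rank matters to this attack);
# sizes, seed and function names are constructed for the example.
import random
from fractions import Fraction
from math import comb

def matmul(A, B):
    """Matrix product over GF(2)."""
    return [[sum(a & b for a, b in zip(row, col)) % 2 for col in zip(*B)] for row in A]

def add(A, B):
    """Matrix sum over GF(2) (XOR)."""
    return [[x ^ y for x, y in zip(ra, rb)] for ra, rb in zip(A, B)]

def right_inverse(Gp):
    """Solve G'X = I by Gauss-Jordan elimination; None if G' is not full row rank."""
    k, n = len(Gp), len(Gp[0])
    rows = [Gp[i][:] + [int(i == j) for j in range(k)] for i in range(k)]  # [G' | I]
    pivots = []
    for col in range(n):
        r = len(pivots)
        if r == k:
            break
        p = next((i for i in range(r, k) if rows[i][col]), None)
        if p is None:
            continue
        rows[r], rows[p] = rows[p], rows[r]
        for i in range(k):
            if i != r and rows[i][col]:
                rows[i] = [x ^ y for x, y in zip(rows[i], rows[r])]
        pivots.append(col)
    if len(pivots) < k:
        return None
    X = [[0] * k for _ in range(n)]
    for r, col in enumerate(pivots):
        X[col] = rows[r][n:]          # row r of the accumulated row operations
    return X

def family_member(G1, Gp, U):
    """Another inverse G1 + U + G1 G' U, for any n x k binary matrix U."""
    return add(add(G1, U), matmul(G1, matmul(Gp, U)))

def prob_parity_zero(n, w, t):
    """Exact Pr[r . e = 0] for a column e of weight w and a uniform r of weight t."""
    even = sum(comb(w, j) * comb(n - w, t - j) for j in range(0, min(w, t) + 1, 2))
    return Fraction(even, comb(n, t))

def demo(k=6, n=12, t=2, seed=1):
    rng = random.Random(seed)
    G1 = None
    while G1 is None:                  # resample until G' has full row rank
        Gp = [[rng.randint(0, 1) for _ in range(n)] for _ in range(k)]
        G1 = right_inverse(Gp)
    U = [[rng.randint(0, 1) for _ in range(k)] for _ in range(n)]
    G2 = family_member(G1, Gp, U)
    m = [rng.randint(0, 1) for _ in range(k)]
    r = [0] * n
    for i in rng.sample(range(n), t):
        r[i] = 1
    c = add(matmul([m], Gp), [r])      # c = mG' + r
    seen = matmul(c, G2)[0]            # what Eve computes: c G2 = m + r G2
    mask = matmul([r], G2)[0]          # r . e_i for each column e_i of G2
    return Gp, G2, m, seen, mask

if __name__ == "__main__":
    Gp, G2, m, seen, mask = demo()
    print("plaintext  :", m)
    print("c * G2     :", seen)
    print("bits masked:", sum(mask), "of", len(m))
    for w in (1, 225):
        print("n=1024, t=50, weight", w, "-> Pr =", float(prob_parity_zero(1024, w, 50)))
```

A weight-1 column leaks its plaintext bit with probability $1 - t/n$, while at the weight reached by the greedy search the parity is indistinguishable from a fair coin.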

• Secondly, we strictly prove the relationship between the security of quantum PKE protocols and that of their classical counterparts.

Theorem 1: The quantum McEliece PKE is at least as secure as the classical McEliece PKE protocol.

Proof: Suppose there is a quantum algorithm $A$ which can efficiently transform the cipher state $\sum_m \alpha_m|mG' \oplus r\rangle$ into the quantum message $\sum_m \alpha_m|m\rangle$. In order to decrypt an arbitrary classical cipher $m_0G' \oplus r_0$, we firstly prepare a quantum state $|m_0G' \oplus r_0\rangle$. Then, the quantum state $|m_0G' \oplus r_0\rangle$ is input to the quantum algorithm $A$, and will be transformed into the quantum state $|m_0\rangle$. Finally, the classical message $m_0$ is obtained via measuring the output quantum state $|m_0\rangle$. Thus, if there is an attack on quantum McEliece PKE, there would be an attack on classical McEliece PKE. Therefore, quantum McEliece PKE is at least as secure as the classical McEliece PKE protocol. □

Since the functions f(m,r) and g(m,r ) are classical functions, finding 
the trapdoor s is a classical computational problem. Thus, the security of 
QPKE protocol based on induced trapdoor OWT depends on the onewayness 
of corresponding classical trapdoor one-way function. 

Now we can arrive at the following conclusion. 

The security of a QPKE protocol based on induced trapdoor OWQT is one between that of corresponding classical PKE and the onewayness of related classical one-way function. In other words, the security of a QPKE given above is not stronger than the onewayness of related classical trapdoor one-way function, and is not weaker than the security of its classical counterparts.

• Finally, we analyze its security from the aspect of attack.

The attacker can have two different strategies: 1) attacking the secret key from the public key; 2) attacking the ciphertext $\sum_m \alpha_m|mG' \oplus r\rangle$.

If the attacker adopts the first strategy, the difficulty is the same as that of attacking the classical McEliece PKE, because the quantum PKE scheme uses the same key-generating algorithm as its classical counterpart.

If the attacker adopts the second strategy, we should analyze what can be extracted from the ciphertext $\sum_m \alpha_m|mG' \oplus r\rangle$.

Theorem 2: The strategy 2) is inefficient when attacking the ciphertext of the quantum McEliece PKE scheme.

Proof: Because the $k \times n$ matrix $G'$ is public and has full rank $k$ ($k < n$), the attacker can compute its generalized inverse matrix ${G'}^{-}$, which is an $n \times k$ matrix. Thus, the attacker can perform the following processing on the ciphertext.

$$\sum_m \alpha_m|mG' \oplus r\rangle|0\rangle \to \sum_m \alpha_m|mG' \oplus r\rangle|m \oplus r{G'}^{-}\rangle \to |r \oplus r{G'}^{-}G'\rangle\sum_m \alpha_m|m \oplus r{G'}^{-}\rangle. \qquad (5)$$

Then, the attacker can measure the first register, and obtain the value of $r(I \oplus {G'}^{-}G')$. In addition, he can also obtain a new ciphertext $\sum_m \alpha_m|m \oplus r{G'}^{-}\rangle$, which can be written as $X(r{G'}^{-})\sum_m \alpha_m|m\rangle$ or $\sum_m \alpha_m|(mG' \oplus r){G'}^{-}\rangle$.

From the following two propositions, the proof can be finished.

Proposition 1: Given the values of $r(I \oplus {G'}^{-}G')$ and $I \oplus {G'}^{-}G'$, solving the value of $r$ is an LPN problem.

Proof: Now we know the attacker can obtain the values of $r(I \oplus {G'}^{-}G')$ and $I \oplus {G'}^{-}G'$. Because $G'(I \oplus {G'}^{-}G') = G' \oplus G' = 0$ and $G' \neq 0$, it can be inferred that the $n \times n$ matrix $I \oplus {G'}^{-}G'$ is not full rank. So only a little information about $r$ cannot be computed from the values of $r(I \oplus {G'}^{-}G')$ and $I \oplus {G'}^{-}G'$. However, the value of $r{G'}^{-}$ is still hard to compute. Denote $v = r(I \oplus {G'}^{-}G')$. Then, computing the value of $r{G'}^{-}$ is an NPC problem: given the values of $v, G'$, where $r$ is a random binary vector, how to compute the value of $r{G'}^{-}$ from the equation $v = r \oplus (r{G'}^{-})G'$? It is just an LPN problem, which has been discussed above. □

Now we know the attacker can transform the ciphertext $\sum_m \alpha_m|mG' \oplus r\rangle$ into $\sum_m \alpha_m|(mG' \oplus r){G'}^{-}\rangle$. However, it does not hold for any quantum state $\sum_m \alpha_m|m\rangle$. In other words, the transformation $\sum_m \alpha_m|m\rangle \to \sum_m \alpha_m|mH\rangle$ may be physically infeasible. The proof is given in the appendix.

Proposition 2: The state $X(r{G'}^{-})\sum_m \alpha_m|m\rangle$ is unrelated to the plaintext $\sum_m \alpha_m|m\rangle$, from the view of fidelity.

Proof: According to Fujita's analysis [9], $X$ basis measurement on the two states $X(r{G'}^{-})\sum_m \alpha_m|m\rangle$ and $\sum_m \alpha_m|m\rangle$ can result in the same statistical probability. This is obviously correct since the two states differ only in some bit-flips [12]. So it is expected that the attacker may obtain some information about the quantum messages by quantum measurement on $X(r{G'}^{-})\sum_m \alpha_m|m\rangle$. Though there exists a vulnerability in quantum McEliece PKE, it should be stressed that the similarity of these two states $X(r{G'}^{-})\sum_m \alpha_m|m\rangle$ and $\sum_m \alpha_m|m\rangle$ is described by their fidelity:

$$F(e) = |\langle X(e)\rangle| = \left|\sum_{m,n} \alpha_m^* \alpha_n \langle m|X(e)|n\rangle\right|, \qquad (6)$$

where $e = r{G'}^{-}$ is a random string depending on the error $r$. It can be seen that $F(e)$ may equal any value from 0 to 1; then, generally speaking, identical probability distributions do not mean identical states. □

Remark 2: The attack on the state $X(r{G'}^{-})\sum_m \alpha_m|m\rangle$ can also be analyzed from information theory. According to the Holevo theorem [12], the quantum measurement on $X(r_1{G'_1}^{-})\sum_m \alpha_m|m\rangle$ can obtain at most $k$-bit information, but has amplitudes $\alpha_m$. Suppose each amplitude is accurate to $l$ decimal places, then each $\alpha_m$ can be seen as an $l$-bit complex number which has both real and imaginary parts, so it is necessary to obtain $2l \times 2^k$-bit information for determining an unknown state $\sum_m \alpha_m|m\rangle$. It can be seen that even if Alice encrypts the same quantum state polynomially many times, the attacker can obtain at most polynomial-bit information. It is still hard for her to determine the state $\sum_m \alpha_m|m\rangle$.


4. Double-encryption scheme 

4.1. Scheme

As stated by Fujita [9], the vulnerability of quantum McEliece PKE is due to the fact that our PKC introduces no phase encryption. In this section, we propose an improved variant of the quantum McEliece PKE scheme using the double-encryption technique.

The encryption is briefly stated as follows. The quantum McEliece PKE is used twice; however, the second encryption uses different parameters from the first.

1. Alice uses two pairs of public-keys $(G'_1, t_1)$ and $(G'_2, t_2)$. She firstly uses the first public-key $(G'_1, t_1)$ to encrypt the $k$-qubit message $\sum_m \alpha_m|m\rangle$, and obtains an $n$-qubit state $\sum_m \alpha_m|mG'_1 \oplus r_1\rangle$.

2. Then she performs a Hadamard transformation $H^{\otimes n}$ on this state and obtains $H^{\otimes n}\sum_m \alpha_m|mG'_1 \oplus r_1\rangle = \sum_m \alpha_m\sum_k (-1)^{k\cdot(mG'_1 \oplus r_1)}|k\rangle$.

3. Finally she uses the second public-key $(G'_2, t_2)$ to encrypt the $n$-qubit quantum state $H^{\otimes n}\sum_m \alpha_m|mG'_1 \oplus r_1\rangle$, and obtains an $n'$-qubit quantum state, which is the ciphertext of the improved scheme. The final ciphertext is as follows:

$$\sum_m \alpha_m\sum_k (-1)^{k\cdot(mG'_1 \oplus r_1)}|kG'_2 \oplus r_2\rangle = \sum_k\sum_m \alpha_m(-1)^{k\cdot(mG'_1 \oplus r_1)}|kG'_2 \oplus r_2\rangle. \qquad (7)$$


Bob receives the ciphertext, and performs the following decryption process.

1. Bob uses the second private-key to decrypt the received $n'$-qubit quantum cipher state, and obtains an $n$-qubit state $\sum_m \alpha_m\sum_k (-1)^{k\cdot(mG'_1 \oplus r_1)}|k\rangle$.

2. Then he performs a Hadamard transformation $H^{\otimes n}$ on the $n$-qubit state.

3. Finally he uses the first private-key to decrypt and obtain the $k$-qubit message.

4.2. Analysis

Firstly, it should be noticed that our scheme is simpler than the scheme proposed by Fujita [9]. Fujita's scheme is constructed based on quantum error-correction code, which has the ability to correct quantum errors. However, the encoding in our scheme uses classical error-correction code and cannot correct quantum errors, and has less redundancy, so its encoding circuit needs fewer ancillary qubits and is simpler than Fujita's scheme.

Now, let's consider the security of the double-encryption scheme. From the view of Alice, the attacker can obtain the following quantum state by performing a unitary about $G'_2$,

$$X(r_2{G'_2}^{-})\sum_k\sum_m \alpha_m(-1)^{k\cdot(mG'_1 \oplus r_1)}|k\rangle.$$

Then he performs $H^{\otimes n}$ and obtains the following state

$$\begin{aligned}
H^{\otimes n}X(r_2{G'_2}^{-})\sum_k\sum_m \alpha_m(-1)^{k\cdot(mG'_1 \oplus r_1)}|k\rangle
&= Z(r_2{G'_2}^{-})H^{\otimes n}\sum_k\sum_m \alpha_m(-1)^{k\cdot(mG'_1 \oplus r_1)}|k\rangle \\
&= Z(r_2{G'_2}^{-})\sum_m \alpha_m|mG'_1 \oplus r_1\rangle \\
&= \sum_m \alpha_m(-1)^{(r_2{G'_2}^{-})\cdot(mG'_1 \oplus r_1)}|mG'_1 \oplus r_1\rangle, \qquad (8)
\end{aligned}$$

and then performs a transformation relative to $G'_1$, and finally obtains a state

$$(-1)^{(r_2{G'_2}^{-})\cdot(mG'_1 \oplus r_1)}\,|m\rangle. \qquad (9)$$

During the above process, the attacker can obtain the values of $r_2(I \oplus {G'_2}^{-}G'_2)$, $r_1(I \oplus {G'_1}^{-}G'_1)$, $I \oplus {G'_2}^{-}G'_2$ and $I \oplus {G'_1}^{-}G'_1$. However, he still cannot obtain the values of $r_1, r_2$. The reason is the same as the analysis in Section 3.3.

Then, can one extract some information about the plaintext $\sum_m \alpha_m|m\rangle$ from the state in Eq.(9)?

In the original quantum McEliece PKE scheme, the attacker can transform the ciphertext and obtain the state $X(r{G'}^{-})\sum_m \alpha_m|m\rangle$. Comparing this state with the original quantum message $\sum_m \alpha_m|m\rangle$, they differ only in some bit-flip errors. Thus, the original encryption scheme introduces only bit-flip errors; however, bit-flip errors can be seen as phase errors in the conjugate space because $HXH = Z$. This is the so-called vulnerability discussed in [9].

When it is modified with the double-encryption scheme, the attacker can obtain the quantum state expressed in Eq.(9). Comparing this state with the quantum message $\sum_m \alpha_m|m\rangle$, both bit-flip errors and phase errors are introduced. Thus, whether it is seen from the conjugate space or not, the two types of errors exist simultaneously. Then the vulnerability is eliminated. The detailed arguments are as follows.

Theorem 3: The double-encryption scheme is more secure than the 
original quantum PKE scheme in Sec. 3. 

Proof: Because the attacker can transfer the quantum cipher into the state $Z(r_2{G'_2}^{-})\sum_m \alpha_m|mG'_1 \oplus r_1\rangle$ in Eq.(9), with regard to the attacker, the encryption operator can be written as

$$\begin{aligned}
U(r_1, r_2) &= Z(r_2{G'_2}^{-})\sum_m |mG'_1 \oplus r_1\rangle\langle m, 0\cdots0| \\
&= Z(r_2{G'_2}^{-})X(r_1)\sum_m |mG'_1\rangle\langle m, 0\cdots0| \\
&= Z(r_2{G'_2}^{-})X(r_1)V, \qquad (10)
\end{aligned}$$

where the operator $V = \sum_m |mG'_1\rangle\langle m, 0\cdots0|$ is independent of the two error vectors $r_1, r_2$. Given the public key $G'_1$, the operator $V$ is a constant operator.

Remark 3: As is known from Refs. [13, 14], the encryption operator in a private quantum channel can be written as $U(a, b) = Z(b)X(a)$, where $a, b$ are chosen randomly, and its security depends on the randomness of $a, b$. Because $V$ in Eq.(10) is a constant operator, the encryption operator $U(r_1, r_2)$ can be seen as a special kind of private quantum channel, where the difference lies in that the weights of the random vectors $r_1, r_2$ are bounded by $t_1, t_2$ respectively.

In the original quantum McEliece PKE scheme, the encryption operator can be seen as $U'(r_1, r_2) = Z(r_2)X(r_1{G'_1}^{-})$, where $r_2 = 0$. The random bits of $r_1, r_2$ in the double-encryption scheme are twice more than those in the original quantum McEliece PKE scheme. In other words, attacking the state $U(r_1, r_2)\sum_m \alpha_m|m\rangle$ is more difficult than attacking the state $U'(r_1, 0)\sum_m \alpha_m|m\rangle$. Thus, the double-encryption scheme can improve the security of our quantum PKE scheme. □

From the above proof, one can informally conclude that, to achieve the same security as the original quantum McEliece PKE scheme in Sec. 3, the double-encryption scheme requires about half of the key-length of the original scheme.
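Proposition 2 and the attacker's-view operator of Eq. (10) can both be checked on a small state vector. The following Python code is an added example, not code from the paper: the 3-qubit state and the masks $e$, $a$, $b$ are constructed, and the constant operator $V$ is taken as already undone so that only $X(a)$ or $Z(b)X(a)$ acts on the message.

```python
# Added illustration, not code from the paper. Assumptions: the 3-qubit sample state
# and the masks are constructed; X(e)|m> = |m xor e>, Z(b)|m> = (-1)^(b.m)|m>.
import math

PSI = [0.6, 0, 0, 0.8, 0, 0, 0, 0]        # constructed message 0.6|000> + 0.8|011>

def apply_x(state, e):
    """Bit flips on the qubits selected by mask e."""
    return [state[m ^ e] for m in range(len(state))]

def apply_z(state, b):
    """Phase flips on the qubits selected by mask b."""
    return [(-1) ** bin(b & m).count("1") * a for m, a in enumerate(state)]

def hadamard_all(state):
    """H on every qubit, computed with the fast Walsh-Hadamard transform."""
    out, h = list(state), 1
    while h < len(out):
        for i in range(0, len(out), 2 * h):
            for j in range(i, i + h):
                out[j], out[j + h] = out[j] + out[j + h], out[j] - out[j + h]
        h *= 2
    norm = math.sqrt(len(out))
    return [a / norm for a in out]

def x_basis_probs(state):
    """Outcome distribution of an X-basis measurement on every qubit."""
    return [abs(a) ** 2 for a in hadamard_all(state)]

def fidelity(psi, phi):
    """|<psi|phi>|; equals F(e) of Eq. (6) when phi = X(e) psi."""
    return abs(sum(complex(p).conjugate() * q for p, q in zip(psi, phi)))

def max_gap(p, q):
    return max(abs(x - y) for x, y in zip(p, q))

if __name__ == "__main__":
    base = x_basis_probs(PSI)
    for e in (0b000, 0b001, 0b011):
        flipped = apply_x(PSI, e)
        print(f"X({e:03b}): F(e) = {fidelity(PSI, flipped):.2f}, "
              f"X-basis gap = {max_gap(base, x_basis_probs(flipped)):.1e}")
    both = apply_z(apply_x(PSI, 0b011), 0b001)      # Z(b) X(a) as in Eq. (10)
    print(f"Z(001)X(011): X-basis gap = {max_gap(base, x_basis_probs(both)):.2f}")
```

With bit flips alone the X-basis statistics are unchanged even when the fidelity drops to 0; once the phase flip $Z(b)$ is present the X-basis distribution is permuted by $b$ as well.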

Proposition 3: Multiple use of the double-encryption scheme will decrease its security.

Proof: In the double-encryption scheme (usually let the parameters be $k = 524$, $n = 1024$, $n' = 2n = 2048$), the length of the ciphertext is expanded about 4 times ($n'/k \approx 4$); however, the bits of the random key are expanded only 3 times ($(n' + n)/n = 3$). So, the ratio between the bit-length of the random key and the length of the ciphertext would decrease, approaching zero, when the double-encryption scheme is used several times. That is, with respect to the length of the ciphertext, the amount of key is reduced, which means the security will be worse. Thus, the security will decrease when the double-encryption scheme is used multiple times. □

Remark 4: Though the double-encryption scheme is more secure than the once-encryption scheme, it is enough to adopt the once-encryption scheme (the scheme is given in Sec. 3) in some low-level security scenarios.

Finally, it is worth noticing that, in a private quantum channel, the random numbers $r_1, r_2$ are not locally generated, and are preshared keys. However, in the double-encryption scheme, $r_1, r_2$ are locally selected, and are random numbers which are used in the encryption only once. In addition, according to our scheme, two identical quantum messages may be encrypted into two different ciphertexts since different random numbers $r_1, r_2$ are used every time. Thus, there is only one chance when attacking the ciphertext of a quantum message through quantum measurement; in other words, the message can be encrypted several times without loss of security.

5. Discussions

There have been several attacks on classical McEliece PKE. However, an attack on classical McEliece PKE does not mean an attack on quantum McEliece PKE. There are several kinds of attack on classical McEliece PKE, such as the Korzhik-Turkin attack [15], the message-resend attack and the related-message attack [16]. Since the detail of the Korzhik-Turkin attack has not been given till now, the efficiency of this attack is still an open problem. Because an iterative decoding algorithm is used in the Korzhik-Turkin attack, and a quantum state cannot be reused, it fails when attacking quantum McEliece PKE. Though classical McEliece PKE has to be improved to prevent the message-resend attack and the related-message attack [17], these attacks also fail while facing the quantum McEliece PKE protocol. Therefore, quantum McEliece PKE is more secure than the classical McEliece PKE protocol.

Our quantum PKE schemes are designed to encrypt the quantum message $\sum_m \alpha_m|m\rangle$. However, if we consider the number $r$ involved as the classical message encrypted, this kind of QPKE scheme can also be regarded as a 'quantum envelope' for classical message transmission. In addition, since the attacks on classical McEliece PKE, such as the Korzhik-Turkin attack [15], the message-resend attack and the related-message attack [16], fail to attack quantum McEliece PKE, it is probably more secure to transmit classical information via quantum McEliece PKE than via classical McEliece PKE.

Actually, the quantum McEliece PKE scheme was originally presented in a conference paper (see Ref. [8]). This paper investigates that original scheme and develops the double-encryption technique to improve its security. Though we only construct the quantum version of McEliece PKE, the method here can also be extended to construct quantum versions of other classical PKE schemes. The details are presented in Ref. [10]. It is worth noticing that some of the schemes in Ref. [10] do not have post-quantum security.

The other quantum McEliece PKE, proposed by Fujita [9], is based on quantum coding. The security of both Fujita's and our schemes depends on the difficulty of solving an NPC problem. Fujita [9] pointed out a vulnerability of our scheme in Ref. [8]; however, it has been improved in this paper. Ref. [9] argued that the PKE scheme in Ref. [8] is insecure while encrypting classical messages. Here we have clarified it in Sec. 3.3. In addition, we would like to mention that it is sufficient to adopt the original PKE scheme proposed in Ref. [8] in some low-level security scenarios besides encrypting classical messages. Finally, we would argue that our scheme is simpler than Fujita's scheme. The reason is as follows: Fujita's scheme is based on quantum error correction code and the encoding can correct quantum errors, while our scheme is based on classical error correction code and does not have the ability of quantum error correction. This means correcting quantum errors is not a necessary functionality in quantum public-key cryptosystems. Our scheme removes this redundant functionality, and makes the encoding/decoding simpler.

6. Conclusions 

The quantum version of McEliece PKE is analyzed and shown to be at least as secure as its classical counterpart and, at the same time, it is also shown that it cannot be more secure than the related one-way function. We also suggest a double-encryption scheme to improve the security of the QPKE protocol, and show that its security would decrease when the double-encryption scheme is applied multiple times.

Appendix

Ref. [1] introduces a constant-weight coding algorithm which can encode each $k$-bit message $m$ to an $n$-bit string $w(m) = e_1e_2\cdots e_n$ of the same weight $t$, and different messages have different codes. This algorithm can be modified to be a quantum encoding algorithm which implements the transformation

(.1)

The number of qubits changes after the above transformation. It is worth explaining why this quantum transformation is valid. Because the encoding algorithm $m \to w(m)$ is a reversible computation, and the computation in both directions can be implemented efficiently, the following two steps of quantum computing can also be implemented efficiently:

$$\sum_m \alpha_m|m\rangle|0\rangle \to \sum_m \alpha_m|m\rangle|w(m)\rangle \to |0\rangle\sum_m \alpha_m|w(m)\rangle.$$

Thus, the quantum encoding algorithm can be written as Eq.(.1). However, this is not valid for general computation. We prove it in the following Propositions 4 and 5.

Proposition 4: The quantum transformation $\sum_m \alpha_m|w(m)\rangle \to \sum_m \alpha_m|w(m)H\rangle$ is infeasible physically, where $H$ is an $n \times k$ ($n > k$) binary matrix, and $w(m) \in \{0,1\}^n$ is a constant-weight code of $m$.

Clearly, the computation $w(m) \to w(m)H$ can be implemented by a polynomial-size classical circuit. However, the reverse computation cannot be carried out, because the $n \times k$ ($n > k$) matrix $H$ does not have a right inverse. Thus, we cannot express the quantum transformation $\sum_m \alpha_m|w(m)\rangle \to \sum_m \alpha_m|w(m)H\rangle$. Next, we give a strict demonstration.

Proof: The computation $w(m) \to w(m)H, \forall m$, changes an $n$-bit string into a $k$-bit string. Because $k < n$, it can be thought of as follows: for an arbitrary $n$-bit string $w(m)$, its last $(n-k)$-bit information is erased into zeroes and the former $k$ bits are changed to $w(m)H$. This means there exists an $n \times (n-k)$ binary matrix $A$ such that

$$w(m)[H|A] = [w(m)H\,|\,0\cdots0], \quad \text{for all } n\text{-bit constant weight codes}. \qquad (.2)$$

Thus, $w(m)A = 0\cdots0, \forall m$. Then there exists an $n \times (n-k)$ binary matrix $A$ such that each column of $A$ (denoted as $a_j$) is orthogonal to arbitrary $w(m)$. Because $w(m)$ is an $n$-bit constant-weight code of weight $t$ ($t < n$), any $t$ elements of any $a_j$ sum to $0 \pmod 2$.

If $t$ is even, any $a_j$ must be either the all-zero vector or the all-one vector; if $t$ is odd, $a_j$ must be the all-zero vector. Thus, when $t$ is even, each column of $A$ must be either the all-zero vector or the all-one vector; when $t$ is odd, each column of $A$ must be the all-zero vector. No matter which condition happens, the $n \times n$ matrix $[H|A]$ cannot be unitary. So, it is infeasible to physically implement the quantum transformation $\sum_m \alpha_m|w(m)\rangle \to \sum_m \alpha_m|w(m)H\rangle$.

The result can be extended to the general case.

Proposition 5: The quantum transformation $\sum_m \alpha_m|m\rangle \to \sum_m \alpha_m|mH\rangle$ is infeasible physically, where $H$ is an $n \times k$ ($n > k$) binary matrix, and $m \in \{0,1\}^n$.

Proof: The proof is similar to that of Proposition 4. In the same way, there exists an $n \times (n-k)$ binary matrix $A$ such that $mA = 0\cdots0, \forall m \in \{0,1\}^n$. Then the matrix $A$ is the all-zero matrix, and the $n \times n$ matrix $[H|A]$ cannot be unitary. So, it is infeasible to physically implement the quantum transformation $\sum_m \alpha_m|m\rangle \to \sum_m \alpha_m|mH\rangle$. In other words, the transformation

$$T = \sum_m |\underbrace{0\cdots0}_{n-k}, mH\rangle\langle m|$$

is infeasible in physical implementation.

In fact, when part of the amplitudes $\alpha_m$, $m \in \{0,1\}^n$, are set to zeroes, Proposition 5 would degenerate to Proposition 4.